Indian companies spend more on security for protecting vital information, said a McAfee study. According to the study, 35 per cent of Indian, 33 per cent of Chinese and 27 per cent of Brazilian firms reported spending 20 per cent or more of the IT budgets on security. McAfee Inc released the findings from the first global study on the security of information economies.
In the study, ‘Unsecured Economies: Protecting Vital Information’, security experts and senior IT decision makers reveal the extent to which the economic downturn is set to impact the security of vital information as CIOs attempt to secure critical information across continents and companies.
The study was commissioned by McAfee, Professors Karthik Kannan, Jacquelyn Rees and Eugene H. Spafford from Purdue University and the Center for Education and Research in Information Assurance and Security (CERIAS).
International research firm Vanson Bourne surveyed more than 1,000 senior IT decision makers in the U.S., U.K., Japan, China, India, Brazil and the Middle East.
According to Dave DeWalt, President & CEO, McAfee, Inc., “As the world faces one of the worst recessions in recent memory, protecting a company’s critical information assets like intellectual property and sensitive data has never been more important, yet challenging.”
Motivated and gaining competitive advantage
Developing countries are more motivated and spend more on protecting intellectual property than their Western counterparts. India, Brazil and China spent more money on security than Germany, UK, US and Japan, the study said.
When comparing the motivators of information security investments, there is a striking difference in attitude. It appears that decision makers in many countries, particularly developed ones, are reactive rather than proactive. Compliance with regulation is the key motivator in Dubai, Germany, Japan, the U.K., and the U.S. Seventy-four per cent of Chinese and 68 per cent of Indian respondents, however, reported making decisions based on gaining and/or maintaining a competitive advantage in attracting customers or clients, the report stated.
The developed countries that proportionally spent less on protecting their vital information were — 20 per cent of German, 19 per cent of U.S., 10 per cent of Japanese, and four per cent of U.K. firms. The U.K. reported the least amount of spend on security as a percentage of their IT budget, with 44 per cent of the U.K. respondents spending zero to five per cent of their IT budgets on security.
Well-defined business plan
The McAfee report revealed that while societal protection (enforcement and other actions) of information assets is weaker in India and China than in developed countries, the company level organizational commitment in these countries is not. For example, a manager in an Indian IT outsourcing company mentioned, even before the recent Mumbai attacks, that his company had well-defined business continuity plans and has drills once every six months, sometimes even pretending a terrorist attack took out one of its sites.
To make matters worse, there are a minority of companies in some countries who did not pursue a security incident. This suggests that when intellectual property is stolen in certain countries, it will not be reported.
Interestingly, 24 per cent and 22 per cent, respectively, of Dubai and Indian firms did not investigate security incidents because of a lack of “cooperation,” the study said.
Extreme measures for extreme situations
The study revealed that companies take drastic steps to lock down information. Some companies are responding to the increased insider threat by locking down USB ports and CDROM drives on the computers provided to employees. This technique is used by many Indian IT companies, as well as all over the world. Other extreme measures include requiring managers to be copied on all email sent outside the organization and monitoring print queues for potential leaks by employees.
Such drastic measures often reduce productivity and actually can cost companies more in resources than simply imposing the right policies, enforcing those policies and using the right protection security solutions.
China, Russia, Pakistan pose biggest threats to vital information Three countries, in particular, stood out to the survey respondents-perhaps reflecting broader security perceptions. Respondents cited China, Pakistan and Russia as the worst-rated countries when it comes to the protection of digital assets, the study remarked.
Pakistan, China and Russia, in that order, were also perceived to have the worst reputations for pursuing or investigating security incidents or threats.
Reputation rating
The study cited respondents saying that corruption among law enforcement and the legal systems as well as poor skills among law enforcement as top reasons for the reputation rating. The threats in China and, to a lesser extent, India, are of concern to U.S. companies, but Indian and Chinese respondents rate threats lower in each others’ countries.
For example, Indian respondents rated China as less than a threat to sensitive data than Pakistan (38 per cent versus 61 per cent), and Chinese respondents rated India as less of a threat (38 per cent) than the U.S. (47 per cent), Taiwan (41 per cent) and the same as Japan (38 per cent). While Chinese respondents reported that they most avoid India due to intellectual property concerns (24 per cent), far fewer Indian respondents would avoid China (11 per cent).
According to 18 per cent of Indian respondents, regulations exist to protect information assets but are not enforced. Interestingly, Indian and Chinese companies appear to be worried about the strict U.S. laws.
Similarly, Indian companies are particularly concerned with strict privacy laws in U.K. but not about similar laws in Germany. India’s reputation as a less-favored place for storing and/or processing data may be due to the attention-grabbing hea lines when they began increasing their outsourcing operations for many countries.
These headlines have undoubtedly made many companies nervous. With such headlines, certainly, cases do exist in which companies have opted not to do business in India: a Canadian mobile weighing machine company refused a request from an Indian company to manufacture and market the product in India primarily because of intellectual property concerns.
However, in India, CSOs from the leading Indian software companies (collectively known as SWITCH: Satyam, Wipro, Infosys, Tata, Cognizant, and HCL), have started to work together to deal with the common issues they face in protecting their vital information. They meet once every six months to discuss customer problems with respect to threats and process changes to address those threats, the report added.
